forgejo runner for nixos rebuild

modules/system/homelab/git.nix

@@ -1,5 +1,13 @@
 { pkgs, homelab, ... }: {
-  services.forgejo = {
+  security.sudo.extraRules = [{ # for configuration activation on push to git
+    users = [ "gitea-runner" ]; 
+    commands = [{ 
+      command = "/run/current-system/sw/bin/nixos-rebuild"; 
+      options = [ "NOPASSWD" ]; 
+    }];
+  }];
+  services = {
+    forgejo = {
       enable = true;
       lfs.enable = true;
       stateDir = "/mnt/data/forgejo";
@@ -32,7 +40,7 @@
           DISABLE_REGISTRATION = true;
           ENABLE_OPENID_SIGNIN = false;
           ENABLE_OPENID_SIGNUP = false;
-        ENABLE_INTERNAL_SIGNIN = true; # TODO: set false after migration complete
+          ENABLE_INTERNAL_SIGNIN = true; 
           SHOW_REGISTRATION_BUTTON = false;
           ALLOW_ONLY_EXTERNAL_REGISTRATION = true;
           ALLOW_ONLY_INTERNAL_REGISTRATION = false;
@@ -45,5 +53,14 @@
           ENABLE_PUSH_CREATE_USER = true;
         };
       };
+      gitea-actions-runner.instances.nixos-deploy = {
+        enable = true;
+        name = "nixos-server-runner";
+        url = "https://git.proxy.${homelab.domain}";
+        tokenFile = "/mnt/data/forgejo/runner/nixos_deploy_runner_token"; 
+        labels = [ "nixos-server" ];
+        hostPackages = with pkgs; [ bash coreutils git nix ];
+      };
+    };
   };
 }